Cryptographic weakness on Debian systems
Posted May 13, 2008 14:55 UTC (Tue) by pharm
In reply to: Cryptographic weakness on Debian systems
Parent article: Cryptographic weakness on Debian systems
The patch just comments out the non-zeroing of the relevant buffers if I understand it correctly:
$ diff -r -C5 openssl-0.9.8c-etch1/crypto/rand/md_rand.c openssl-0.9.8c-
*** openssl-0.9.8c-etch1/crypto/rand/md_rand.c Tue May 13 15:50:57 2008
--- openssl-0.9.8c-etch3/crypto/rand/md_rand.c Tue May 13 15:51:05 2008
*** 269,282 ****
- * Don't add uninitialised data.
MD_Update(&m,(unsigned char *)&(md_c),sizeof(md_c));
buf=(const char *)buf + j;
--- 269,279 ----
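Review bot: the only changed line visible in the 269,282 range is the deleted "Don't add uninitialised data" comment, and the new 269,279 range is three lines shorter with no replacement text shown. The fix should leave a short comment next to the MD_Update calls saying why the earlier edit was reverted, so the same change is not reintroduced later.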
It does seem a little weird: if that was the only source of randomness, then it's not a very good source & needs fixing!
On the other hand if it was just one source of randomness, then it shouldn't be that big a deal.
Anyone on the "inside" able to comment?